Educause Security Discussion mailing list archives
FERPA Final Rules Released Today
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Tue, 9 Dec 2008 08:15:46 -0700
[Please excuse the cross-posts. I wanted to make sure that the CIO, ICPL, and Security communities had immediate access to this announcement. Please let me know if you have any questions.]

The FERPA Final Rules appeared in today's Federal Register. See http://edocket.access.gpo.gov/2008/pdf/E8-28864.pdf (PDF) or http://edocket.access.gpo.gov/2008/E8-28864.htm (HTML).

You may recall that the proposed rules addressed issues ranging from the status of SSN and student ID number as "directory information" to matters of "health and safety emergencies" and the "notification of parents". We will complete a more thorough analysis of the changes in the coming days, but I urge you to share this announcement with your FERPA officer and legal counsel and seek their advice regarding implementation.

A few of the important information technology and information security items that we addressed in our written comments to the proposed rules were addressed by the Department of Education as follows:

SSNs and Student ID - the Department said that "directory information does not include a student's- (1) Social security number; or (2) Student identification (ID) number, except as provided in paragraph (c) of this section. (c) Directory information includes a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the authorized user." (emphasis added)

Information Security - the Department said, "We acknowledge that there are many sources available concerning information security technology and processes. The Department does not wish to appear to endorse the information or product of any company or organization; therefore, we have included only Federal government sources in this notice." They continue, "Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. Of course, an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable." (emphasis added)

Security Breach Notification - FERPA does not require an educational agency or institution to notify students that information from their education records was stolen or otherwise subject to an unauthorized release, although it does require the agency or institution to maintain a record of each disclosure. In any case, direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft.

Control of Access to Education Records by School Officials - the resulting standard is to "use reasonable methods to ensure that school officials have access to only those education records in which the official has a legitimate educational interest." The Department said, "We believe that the standard of 'reasonable methods' is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs." (emphasis added)

Outsourcing - the Department said that "one way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract." They continued, "Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information."

Please let me know if you have any further questions.

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator
EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX)
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------